Mass surveillance is Being Undermined by the ‘Snowden Effect’

Uploaded on 2015-06-11 in NEWS-Cybersecurity News, FREE TO VIEW

images?q=tbn:ANd9GcSaVZsC4O01k2zO_JsxeOSUw3QZru5SN-hydKPZFLwR7c4KiHkh

Alex Krasodomski is a researcher at the Centre for the Analysis of Social Media at Demos

We are in the middle of a Crypto war again. Perhaps we have always been in the middle of a Crypto war. Since the 70s, the right and ability to encrypt private communications has been fought over, time and again. Here in the UK, Cameron’s re-election has prompted reports of a ‘turbo-charged’ version of the so-called ‘Snoopers’ Charter’, extending further the powers of surveillance that the whistleblower Edward Snowden described as having ‘no limits’.

Two nights ago, the US Patriot Act expired. With it, at least officially, elements of the NSA’s bulk surveillance programme expired too. The law was passed in the wake of 9/11, in order to ‘strengthen domestic security’ and ‘broaden the powers of law-enforcement agencies with regards to identifying and stopping terrorists’. Section 215 of the Act had allowed the NSA to collect mobile phone data on millions of Americans. For the time being, that provision has gone. In the same week, the UN published a report saying encryption is ‘crucial for human rights’.

But the law is only half the story. Privacy advocates were, of course, cautious not to overstate the significance of the act’s suspension. But behind this caution, their successes are far more extensive than the symbolic demise of the Patriot Act. From the perspective of surveillance, the damage has already been done.

The ‘Snowden effect’, named after the whistleblower responsible for outing government surveillance in the US and UK, has brought more companies and technologists to the fight. Their purpose? To provide privacy tools that are powerful, open-source and accessible to the masses. And these groups are winning. As fears over our privacy continue to grow and the government talks about further extending surveillance capability, ordinary people are turning to these tools. What’s more, for the first time, they are beginning to be adopted on a massive scale.

Scale is a significant change, and a significant challenge to security services. Take Tor. Tor is a web browser-cum-network that scrambles your connections and makes your internet browsing more difficult to track. Both Tor and other publicly-available encryption tools always come with a caveat. Although frequently very powerful, especially in combination with one another, they are not perfect. With enough work and with the resources at the disposal of government organisations, a single user’s communications are at risk: the sheer firepower that the security services can use to break into secure channels means that a single suspect is up against it.

This is probably a good thing. If we believe our security services should have the resources to protect us from those who would plan acts of terrorism, for example, then they must be able to intercept the communications of suspects under investigation. Isis advise use of encryption to its supporters in order to protect their identities and whereabouts. Anders Breivik wrote a blog on it. If a suspect was under investigation we would rightly expect MI5 to use wiretaps and human surveillance, after all. Digital communications should be no different.

But what the mass uptake of this kind of software threatens is mass surveillance. Cracking one encryption key is difficult but possible. Cracking millions is a different proposition. Mass uptake of encryption and of VPNs – virtual private networks designed to hide your identity – is anathema to dragnet collection of data.

Take instant messaging, for example. It is estimated that the 700m users of the app WhatsApp currently send thirty billion messages a day. This alone poses a real challenge to those calling for those messages to be somehow ‘read’ and analysed; how on earth do you read 350,000 messages a second? Over the past few years the Centre for the Analysis of Social media at Demos has done a lot of work in partnership with the University of Sussex on ‘Natural Language Processing’, the science of teaching computers to find meaning in the words we use. Conclusion: it isn’t easy. Algorithms are never perfect, and they go out of date quickly as the way we speak changes.

But now, WhatsApp on Android is end-to-end encrypted, with the possibility of extending this to iOS. Thirty billion encrypted messages a day on one platform alone. True, the levels of encryption provided to a single user under investigation won’t stand up to security service surgery, but they will provide a strong barrier to understanding this data in bulk.

WhatsApp is owned by Facebook. Today, Facebook announced the site would allow its users to encrypt emails sent from the site to their personal accounts. It already provides a ‘dark web’ link which allows access through Tor. Whether its users will take advantage of this to increase their levels of security isn’t clear, but it is tacit approval of encryption from one of the biggest technology companies on the planet. And it isn’t just encrypted communications that are becoming more mainstream.

Hola is a peer-to-peer network. It claims to ‘provide everyone on the planet with freedom to access all of the Web’. Put simply, when you use it, your connection is routed through somebody else’s computer, and when you’re not using it, your computer is offered to others for the same purpose. It is wildly popular among those looking to dodge restrictions placed on, say, television shows. Recent estimates place its use at fifty million worldwide.

Hola has been the subject of some controversy of late: above all, they weren’t quite being straight up about the risks of letting somebody else use your internet connection. Nevertheless, it is the first example of a network that is both very difficult to monitor and censor that has really hit the mainstream by offering a slick and desirable service. The much more ethically-sound and established Tor browser has less than a tenth of its userbase, but is also growing. The Ethereum project is a similar attempt to decentralise the internet and take it out of the control of the government and big companies, making it more private and impossible to censor. It raised $12 million in crowd-funded support.

What this means for the security services, and our own security, is difficult to say. The UN has recognised the vital role these tools play in protecting those at risk of oppression. Human rights activists living under government oppression, for example, or citizens looking to bypass government censorship all rely on these tools daily to avoid persecution. In our recent Demos report with my colleague Jamie Bartlett we argue that there is a balance that must be struck in dealing with this kind of powerful technology.

But lack of dialogue between governments and cryptographers, the no-man’s land between the two sides of this crypto war, is deafening. As long as the security services remain silent and Snowden keeps talking, encryption and moves to protect private communication on the internet will accelerate. It is time the government joined the debate, not as enemies of privacy, but as level-headed, publicly accountable figures whose job it is to protect us from those who would do us harm.

Spectator: http://ow.ly/NRX6b 

Alex Krasodomski is a researcher at the Centre for the Analysis of Social Media at Demos. He can be found tweeting @akrasodomski

« Cyber Vulnerability Report 2015
NSA Surveillance Reform - Snowden’s Vindication. »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Seqrite

Seqrite

Seqrite offers a highly advanced range of enterprise and IT security solutions to protect your organization's most critical data.

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU-ARCC acts as ITU’s cybersecurity hub in the Arab Region localizing and coordinating cybersecurity initiatives.

DeviceAssure

DeviceAssure

DeviceAssure enables organizations to reliably identify counterfeit and non-standard devices with a real-time check on a device's authenticity.

PureCyber

PureCyber

PureCyber (formerly Wolfberry Cyber) is an award-winning cyber security consultancy whose goal it is to make cyber security accessible, understandable, and affordable for any organisation.

Cyber Pathways

Cyber Pathways

Cyber Pathways brings together the next generation of Cyber professionals along with delegates who are looking to cross train and enter the cyber market.

Secmation

Secmation

Secmation are an agile engineering services firm providing advanced DoD level security design and consultation services for both commercial and defense hardware and software applications.

Kontron

Kontron

Kontron offers a combined portfolio of secure hardware, middleware and services for Internet of Things (IoT) and Industry 4.0 applications.

RNTrust

RNTrust

RNTrust provide solutions to meet today’s digital challenges utilizing digital technologies and services to make you more secured in digitally connected environment.

ArmorCode

ArmorCode

ArmorCode's intelligent application security platform gives us unified visibility into AppSec postures and automates complex DevSecOps workflows.

BlastWave

BlastWave

BlastWave deliver Operational Technology Cybersecurity solutions that minimize the available attack surface and protect against the rising tide of AI-powered cyber attacks.

Schillings

Schillings

Shillings defends your rights to privacy, reuptation and security. We fight passionately against breaches of your privacy, attacks on your reputation and threats to your security.

Kong

Kong

Kong - powering the API world. Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

ARC Risk and Compliance

ARC Risk and Compliance

ARC Risk and Compliance is a consulting company comprised of a team of AML Specialists completely focused on anti-money laundering compliance and the technologies used to support compliance programs.

True North Solutions

True North Solutions

True North Solutions provides a wide range of fully customized, vendor-neutral industrial engineering and OT automation solutions to companies across North America and around the world.

TisOva

TisOva

TisOva is an innovative cybersecurity startup dedicated to addressing the growing issue of online scams targeting students.

Locket Cybersecurity

Locket Cybersecurity

Locket’s certified students provide pro-bono security audits for small and medium-sized businesses in the Chicagoland area.